Report No. DODIG-2014-117

Inspector General
U.S. Department of Defense

September 17, 2014

Quality Control Review of Army Audit Agency’s Special Access Program Audits

Integrity ★ Efficiency ★ Accountability ★ Excellence

Mission
Our mission is to provide independent, relevant, and timely oversight
of the Department of Defense that supports the warfighter; promotes
accountability, integrity, and efficiency; advises the Secretary of
Defense and Congress; and informs the public.

Vision
Our vision is to be a model oversight organization in the Federal
Government by leading change, speaking truth, and promoting
excellence—a diverse organization, working together as one
professional team, recognized as leaders in our field.

Fraud, Waste & Abuse HOTLINE
Department of Defense
dodig.mil/hotline | 800.424.9098

For more information about whistleblower protection, please see the inside back cover.

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

September 17, 2014

MEMORANDUM FOR AUDITOR GENERAL, DEPARTMENT OF THE ARMY

SUBJECT: Quality Control Review of Army Audit Agency’s Special Access Program Audits
         (Report No. DODIG-2014-117)

We are providing this report for your information and use. We reviewed the Army
Audit Agency’s (AAA) system of quality control over Special Access Programs (SAP)
audit reports issued for two fiscal years ended September 30, 2013. The generally
accepted government auditing standards (GAGAS) require that an audit organization
performing audits and/or attestation in accordance with GAGAS should have an
appropriate internal quality control system in place and undergo an external peer review
at least once every 3 years by reviewers independent of the audit organization being
reviewed. As the organization that has audit policy and oversight responsibilities for audits
in the DoD, we conducted the external quality control review of the AAA SAP audits in
conjunction with the Naval Audit Service’s review of the AAA non-SAP audits.

An audit organization’s quality control policies and procedures should be appropriately
comprehensive and suitably designed to provide reasonable assurance of meeting the
objectives of quality control. We tested the AAA SAP system of quality control for audits to
the extent considered appropriate.

Federal audit organizations can receive a rating of pass, pass with deficiencies, or fail.
In our opinion, the system of quality control for the audit function of AAA SAP in effect for the
period ended September 30, 2013, was designed in accordance with quality standards
established by GAGAS. Accordingly, we are issuing a pass opinion on your SAP audit
quality control system for the review period ended September 30, 2013.

Appendix A contains comments, observations, and recommendation where AAA can improve
its quality control system. Appendix B contains the scope and methodology of the review.

We appreciate the courtesies extended to the staff. For additional information on this
report, please contact Ms. Carolyn R. Davis at (703) 604-8877 (DSN 664-8877) or
Carolyn.Davis@dodig.mil.

Randolph R. Stone
Deputy Inspector General
Policy and Oversight

Contents

Appendixes
    Appendix A. Comments, Observations, and Recommendation
    Appendix B. Scope and Methodology
Management Comments
Acronyms and Abbreviations

Appendixes

Appendix A
Comments, Observations, and Recommendation
We are issuing a pass opinion because we determined that the Army Audit
Agency’s (AAA) quality control system is adequately designed and functioning as
prescribed.
The concerns we identified during our review of the selected AAA
audit reports were not cumulatively significant enough to indicate that material
deficiencies existed in the AAA quality control system for complying with generally
accepted government auditing standards (GAGAS). We assessed two of the three
audit reports in our sample for compliance with the 2007 revision of GAGAS
because those audits began before the GAGAS 2011 requirements were implemented.
However, we identified issues that are still applicable even when we apply the
2011 revision of GAGAS.

We identified areas of concern relating to quality control and audit
documentation. We judgmentally tested the reports for compliance with GAGAS
and AAA audit policies in nine areas: quality control, audit documentation,
independence, professional judgment, competence, audit planning, supervision,
evidence, and reporting.

Quality Control
GAGAS 3.91 (2011 revision) and GAGAS 3.53e (2007 revision) state that
audit organizations should establish policies and procedures for audit
performance, documentation, and reporting that are designed to provide the
audit organization with reasonable assurance that audits are performed and
reports are issued in accordance with professional standards and legal and
regulatory requirements.

US Army Audit Agency Regulation No. 36-3, “Audit Survey and Execution,” dated
August 1, 2011, Chapter 10, Section 10-1d, “Cross-Referencing Working Papers,” states:

    any information (facts, figures, or other data) contained in a working
    paper and used in a report must have a specific cross-reference to
    the report.
    Auditors should cross-reference to supporting working
    papers whenever possible and only cross-reference a draft report
    to summary working papers when the conclusions in the report are
    a consolidation of many working papers. As a minimum, auditors
    should cross-reference the following:

    (1) Audit Program. Auditors should cross-reference the audit
        program to the supporting and summary working papers.

    (2) Working Papers. Auditors should cross-reference working
        papers to the audit program, related working papers, evidentiary
        or source documentation, summary working papers, and the
        draft report.

We found that for two [1] of the three audits reviewed, the auditors did not
follow the AAA audit policy relating to quality control. The auditors either did
not cross-reference audit steps in the audit plan to supporting documentation
or document that the audit steps did not apply after the auditors obtained
additional documentation.

Audit Documentation
GAGAS 6.79 (2011 revision) and GAGAS 7.77 (2007 revision) state that
auditors must prepare audit documentation related to planning, conducting,
and reporting for each audit.
Auditors should prepare audit documentation
in sufficient detail to enable an experienced auditor, having no previous
connection to the audit to understand from the audit documentation the nature,
timing, extent, and results of audit procedures performed, the audit evidence
obtained, and its source and the conclusions reached including evidence that
supports the auditors’ significant judgments and conclusions.

US Army Audit Regulation No. 36-3, “Audit Survey and Execution,” dated
August 1, 2011, Chapter 11-1, “Audit File Organization,” states:

    auditors should place working papers and other audit files
    into logically organized folders. The working paper folders
    serve as the “master index” of all working papers, files, and
    products related to the audit. Auditors should index and save all
    documents and other files supporting the working papers to
    properly named subfolders.

We found that for two [2] of the three audits reviewed, the auditors did not
properly follow AAA audit policies and organize folders.
For one audit, the auditors
did not include a master index to address which folder the working papers were
located or how many binders completed the audit. For another audit, information
was contained in unclassified automated working papers, but the classified
working papers were not properly indexed to indicate that unclassified working
papers existed.

    [1] One audit was conducted under the 2007 GAGAS requirements while the
        other audit was conducted under the 2011 GAGAS requirements.
    [2] One audit was conducted under the 2007 GAGAS requirements while the
        other audit was conducted under the 2011 GAGAS requirements.

During our review, the AAA Audit Quality and Assurance Branch issued a
quality assurance report on April 24, 2014, on the SAP audits that identified
the issue of indexing and audit documentation. The Acting Program Director for
AAA Security and Intelligence Audits issued a memorandum on April 30, 2014,
to address the issues identified in the quality assurance report. Specifically,
the memorandum addressed that manual working papers should contain a
master index, and that audits using both manual working papers and automated
working papers contain a master index and the number of binders used to
store the working papers.
The master index must indicate the location of
the manual files and the name of the automated system where the audit
files are stored.

The Acting Program Director’s action addresses the issues that we identified
during our review of this area.

Recommendation
We recommend that the Acting Program Director AAA Security and
Intelligence Audits:

Remind auditors to follow AAA guidance for cross-referencing working papers
to include the referencing of the audit plan to working papers to support
audit steps.

Management Comments
The AAA Auditor General concurred. The Acting Program Director for Intelligence
and Security Audits sent an e-mail on August 26, 2014, to all SAP personnel
discussing the results of the peer review and re-emphasizing the need for auditors
to fully cross-reference working papers. AAA also plans to discuss the requirement
in detail to fully cross-reference working papers to supporting audit steps during
the Intelligence and Security Audit Team’s meeting scheduled in November 2014.

Our Response
AAA comments were responsive. No additional comments are needed.

Appendix B
Scope and Methodology
We limited our review to the adequacy of AAA SAP audits’ compliance with
quality policies, procedures, and standards. We judgmentally selected 3 SAP
audits from a universe of 11 SAP audit reports issued by AAA SAP auditors during
FY 2012 and FY 2013. We tested each audit for compliance with the AAA system
of quality control.
The Naval Audit Service conducted a review of the AAA internal
quality control system for non-SAP audits and/or attestation engagements and will
issue a separate report. The Deputy Inspector General for Policy and Oversight
will issue an overall opinion report on the AAA internal quality control system
that will include the combined results of the SAP and non-SAP audit reviews. In
performing our review, we considered the requirements of quality control standards
contained in both the 2011 and 2007 revisions of GAGAS issued by the Comptroller
General of the United States. Both GAGAS 3.96 (2011 revision) and GAGAS 3.56
(2007 revision) contain a requirement for an external peer review at least once
every 3 years. GAGAS 3.96 (2011 revision) states:

    The audit organization should obtain an external peer
    review at least once every 3 years that is sufficient in scope
    to provide a reasonable basis for determining whether, for
    the period under review, the reviewed audit organization’s
    system of quality control was suitably designed and
    whether the audit organization is complying with its quality
    control system in order to provide the audit organization
    with reasonable assurance of conforming with applicable
    professional standards.

We conducted this review in accordance with standards and guidelines established
in both the March 2009 and the November 2012 update to the Council of the
Inspectors General on Integrity and Efficiency “Guide for Conducting External
Peer Reviews of Audit Organizations of the Federal Offices of Inspector General,”
and the Quality Standards for Inspection and Evaluation. The Naval Audit Service
used this guide in reviewing non-SAP audits at the AAA. We reviewed audit
documentation, interviewed AAA auditors, and reviewed AAA audit policies. We
reviewed the DoD OIG Report No. DODIG-2012-045, “Quality Control Review of
Army Audit Agency’s Special Access Program Audits,” dated January 27, 2012.
We performed this review from April to June 2014 at one AAA office.

To select the audits under review, we:

    • began with the FY 2013 audit reports in order to review the most
      current quality assurance procedures in place,

    • eliminated audit reports produced from the same project, and

    • eliminated audits that have the same or similar titles to ensure review
      of multiple types of projects.

Our review would not necessarily disclose all weaknesses in the system of quality
control or all instances of noncompliance because we based our review on selective
tests. There are inherent limitations in considering the potential effectiveness of
any quality control system. In performing most control procedures, departures can
result from misunderstanding of instructions, mistakes of judgment, carelessness,
or other human factors.
Projecting any evaluation of a quality control system
into the future is subject to the risk that one or more procedures may become
inadequate because conditions may change or the degree of compliance with
procedures may deteriorate.

Management Comments

DEPARTMENT OF THE ARMY
U.S. ARMY AUDIT AGENCY
OFFICE OF THE DEPUTY AUDITOR GENERAL
FINANCIAL MANAGEMENT AND COMPTROLLER AUDITS
6000 6TH STREET, BUILDING 1464
FORT BELVOIR, VA 22060-5609

SAAG-FMZ                                                    2 September 2014

MEMORANDUM FOR Deputy Inspector General for Policy and Oversight, Office of the
Inspector General, Department of Defense, 4800 Mark Center Drive, Alexandria, VA
22350-1500

SUBJECT: Quality Control Review of U.S. Army Audit Agency’s Special Access
Program Audits (Project Number: D2014-DAPOIA-0059.000)

1. We are providing our written response (enclosure) to the quality review report dated
22 August 2014. We concur with the recommendation in the report.

2. We thank you and your staff for their professionalism in performing the peer review
and for bringing to our attention areas in which we can improve our operations. We
agree with your conclusion that our system of quality control was operating effectively to
provide reasonable assurance that special access program personnel were following
established policies, procedures, and applicable auditing standards.

3. If you have any questions or need additional information, please contact me or
Ms. Theresa Corbett at (703) 428-7213 or e-mail theresa.r.corbett.civ@mail.mil.

FOR THE AUDITOR GENERAL:

Encl

KEVIN F. KELLY
Deputy Auditor General
Financial Management and Comptroller Audits

Comments on Recommendation in Quality Control Review
of U.S. Army Audit Agency’s Special Access Program Audits
(Project Number: D2014-DAPOIA-00059.000)

Overall. We fully agree with your overall conclusion that U.S. Army Audit Agency’s
(USAAA’s) system of quality control for special access programs was operating
effectively to provide reasonable assurance that personnel were following established
policies, procedures, and applicable auditing standards.
We also appreciate the
recommendation for corrective action you provided. The following comments describe
the actions we took for the recommendation in the report.

Recommendation. The Acting Program Director for Intelligence and Security Audits
should remind auditors to follow USAAA guidance for cross-referencing working papers
to include the referencing of the audit plan to working papers to support audit steps.

    USAAA Comments. Concur. On 26 August 2014, the Acting Program Director
    sent an e-mail to all special access program personnel discussing the results of the
    peer review and re-emphasizing the need for auditors to fully cross-reference
    working papers. In addition, the requirement to fully cross-reference working papers
    to supporting audit steps will be discussed in detail during the planned Intelligence
    and Security Audit Team’s upcoming team meeting in November 2014.

Acronyms and Abbreviations

    AAA      Army Audit Agency
    GAGAS    Generally Accepted Government Auditing Standards
    SAP      Special Access Programs

Whistleblower Protection
U.S. Department of Defense
The Whistleblower Protection Enhancement Act of 2012 requires
the Inspector General to designate a Whistleblower Protection
Ombudsman to educate agency employees about prohibitions
on retaliation, and rights and remedies against retaliation for
protected disclosures. The designated ombudsman is the DoD Hotline
Director.
For more information on your rights and remedies against
retaliation, visit www.dodig.mil/programs/whistleblower.

For more information about DoD IG reports or activities, please contact us:

    Congressional Liaison
    congressional@dodig.mil; 703.604.8324

    Media Contact
    public.affairs@dodig.mil; 703.604.8324

    Monthly Update
    dodigconnect-request@listserve.com

    Reports Mailing List
    dodig_report@listserve.com

    Twitter
    twitter.com/DoD_IG

    DoD Hotline
    dodig.mil/hotline

Department of Defense | Inspector General
4800 Mark Center Drive
Alexandria, VA 22350-1500
www.dodig.mil
Defense Hotline 1.800.424.9098